What is the CVSS score of CVE-2025-68455?

CVE-2025-68455 has a CVSS 3.1 base score of 7.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 1.1%.

Which versions of Craft Cms are affected by CVE-2025-68455?

Organizations using Craft face moderate risk from CVE-2025-68455 rated CVSS 7.2. Exploitation could compromise the security of affected deployments.. A patch is available.

Is there a public PoC exploit available for CVE-2025-68455?

Yes, a public proof-of-concept exploit is available for CVE-2025-68455. Prioritise patching immediately. EPSS: 1.1%.

How to fix or mitigate CVE-2025-68455?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Vendor patch is available.

Craft Cms CVE-2025-68455

HIGH

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE-470)

2026-01-05 security-advisories@github.com

GHSA-255j-qw47-wjh5

RCE Craft Cms

7.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Jan 12, 2026 - 18:21 vuln.today

Public exploit code

Patch released

Jan 12, 2026 - 18:21 nvd

Patch available

CVE Published

Jan 05, 2026 - 22:15 nvd

HIGH 7.2

DescriptionNVD

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

AnalysisAI

Technical ContextAI

Affects Craft Cms. Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

RemediationAI

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

CVE-2025-68455 vulnerability details – vuln.today

Back

Craft Cms CVE-2025-68455

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code